Oh Crumbs: Time to Review Third-Party Cookies

Google's purge of third-party cookies began January 4 this year, to be phased out by Q3, 2024. The implications are far-reaching - millions of businesses around the globe that are heavily dependent on third-party cookies, will need to audit their use of cookies, grasp various use cases and select necessary solutions.

GDPR vs. Chrome: Am I already compliant if I comply to GDPR?

Chrome's crack down is wider than GDPR in that it's cracking down on third-party cookies entirely, not just components of tracking. The General Data Protection Regulations (GDPR) mainly target advanced advertising features like remarketing and demographic interest reporting. Threatened by huge fines for noncompliance, many websites selling the EU went kinda overboard with their compliance popups, interrupting the entirety of the internet experience in the process.

For this reason, yes, a GDPR compliant website is more likely to be on top of consent requirements as they've been complying with tighter privacy regulations for years. Still, EU websites owners will need to review their current consent requirements to make sure they are up-to-scratch and revisit their attribution modeling.

Is the Chrome cookie phase out tougher than GDPR?

Some say the Chrome change may be tougher than GDPR because Google is shifting the burden of privacy compliance from the platform's side to ours. Not just in Europe, globally.

How do I know if my website is a part of the initial roll-out?

Your website isn't a part of the Chrome roll-out per say, but your use of the browser may be. If your Chrome installation is a part of the initial 1% implementation plan, you'll receive a notification when you open Chrome. You'll also see an 'eye' in the Chrome address bar for websites that aren't yet compliant, as pictured below.

You'll be able to click the eye icon in Chrome to see info about Tracking Protection.

How will Google Chrome's cookie phase out impact Australian businesses?

Many Australian businesses are way behind the eight ball on the privacy front but that's not entirely their fault - Australia doesn't have any regulatory guidance specific to cookie consent requirements. However, Google Chrome's phase out means Australian website owners will need to review their set-up, or, their website may not work properly in Chrome.

Considering Chrome is used by the majority of internet users, it's a change that's may catch a whole lot of businesses unawares. Web traffic analysis company Statcounter illustrates Chrome is used by almost 70% of internet users.

So, if you want your website to keep working in Chrome, (which you probably do), it's time to get-on-board the privacy-consent train.

Is this the end of third-party cookies?

No, the cookie phase on Chrome doesn't represent the end of third-party cookies, it represents the need for improved end-user consent to process personal data. This has always been the paradox for advertisers - end users get irritated at irrelevant ads but disdain the data personalisation requires.

Ironically, the third-party cookie phase out is strengthening tracking...

Ironically, the third-party cookie phase out is strengthening tracking, as advertisers and related platforms learn to work around it. New tech like trust tokens offer a greater level of certainty around reidentification of users, but a website owner will still need to be compliant to any regulation developments.

Impact on website functionality
‍

Your website may break with third-party cookies disabled.

If your website is mysteriously breaking in Chrome, it may be being impacted by Google's initial phaseout of third-party cookies. 1% of Chrome users will be impacts in the initial trial, before it's rolled out across the entirety of Chrome at the end of Q3, 2024.

Google's VP for the new Privacy Sandbox, Anthony Chavez explains, "If a site doesn't work without third-party cookies and Chrome notices you're having issues... we'll prompt [the user] with an option to temporarily re-enable third party cookies for that website."

Here's an example of what that prompt will look like in Chrome:

Make sure you're compliant. You can also file an issue on Google's breakage tracker or request additional migration time with the third-party cookie deprecation trial for non-advertising use cases.

How to see if your website still works without third-party cookies

You can test whether your website will break when Chrome blocks third-party cookies by simulating Chrome's state after the phase out. This is usually done by a developer, but if you do want to DIY, here's a guide:

1. Open Chrome and throw the following in the address bar: chrome://flags/#test-third-party-cookie-phaseout
2. Enable the test 'Test Third Party Cookie Phaseout', as shown in the image below.
3. Restart Chrome and open the website you want to test
4. If there is an eye with a cross through it in the URL address bar, your site is impacted.
5. Here's how you review what cookies may need replacing: right click, and select 'inspect' from the menu. Select 'Elements', 'Issues', and you'll see the red flags.
6. Work with your devs or advertising specialists to investigate third-party alternatives and clean up your tags. If you're a marketer, you might like to book a time with the Google Tag Team. Review your user journey to prioritise only essential data tracking. Added bonus: culling tags will improve your website load times, and thus user experience.

Cleaning up tracking gets complicated. Here's Google's official guide to auditing your use of cookies.

Why is Google removing cookies?

Google's removing cookies to address competition concerns of the UK's Competition and Markets Authority (CMA). The investigation has had global ramifications for Google, but the CMA accepted commitments offered by Google to address detailed concerns. Part of Google's response is to offer what they describe as a privacy sandbox with open standards for tracking users while protecting their privacy.

The shift also reflects market sentiment - a Pew Research Center study of just over 5000 people revealed 81% consider the risks of data collection outweigh the benefits. If marketers, businesses and ad platforms don't evolve to address the growing concerns people have about their privacy, we risk the entire user experience of the web.

How is Google replacing cookies?

Advances in aggregation, anonymization and other privacy-preserving tech is paving the way to replacing third-party cookies. However, Google has said that they are not replacing cookies.

In 2021, Google announced that they will not build alternate identifiers to cookies to track individuals as they browse across the web, however, that doesn't mean others, won't. At the time, Head of Product Management, Ads Privacy and Trust, David Temkin explained, "We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not... We don't believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren't a sustainable long-term investment." 

Temkin goes on to explain that Google's web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers.

Alternatives to Third-Party cookies

Most alternatives to third-party cookies still require consent. Here are some of the alternatives to third-party cookies that website owners may consider exploring:

• CHIPs: Cookies Having Independent Partitioned State allows for cookies to be set by a third-party service, but only read within the context of the first-party site. For example, embedding a third-party chat box on site.
• First party data is high priority for advertisers. This is basically user data you've collected yourself as a business. If you've recorded consent, this data can be integrated with ad targeting platforms to support audience targeting. Think of this in the context of Google ads: anyone target the same keyword as your business, but no-one else has the insights that you have about your customers.
• Hashed email addresses: this is method of encrypting an email address. The code remains the same no matters if the email is used on different platforms, browsers or devices. This can then be used for targeted advertising.
• 'Private State Tokens', formerly referred to as 'Trust tokens'. These signal to platforms that the user is legit, and not a bot or malicious third-party, and can also be used to create a seamless purchase journey and reduce friction at checkout by eliminating repetitive authentication steps.
• Fingerprinting is a controversial alternative - it's a set of information that's collected from devices after each use, that advertisers can link back to a user. This information is a set of characteristics that is mostly unique to an individual, creating a digital 'fingerprint'. It can't be deleted like cookies, so some firms have been using them to get around cookie blocking.
• Server-to-server tracking (S2S): direct comms between the ad platform's server and the publisher's server eliminates the need for third-party cookies. For example, let's say a visitor clicks a partner's link. If that user later converts, a unique ID is matched back to that user.
• Related website sets (RWS): A company can declare relationships among sites, such as domains for different countries, to allow limited third-party cookies to keep users logged in for example.
• Consent Management Platforms (CMPs): These manage all the privacy requirements for you. However, note that all of these, as well as CMPs can impact website load times and user experience.

Privacy advocates are concerned that third-party cookie alternatives are not improving privacy - some have the potential to be better for advertising platforms, not users, because they are actually offering a greater level of certainty around reidentification of users. Advocates are calling for, you guessed it, informed consent. And, it's the consent requirement that isn't going away. The EU's General Data Protection Regulation (GDPR) has created a benchmark for other countries, and many are in the process of updating requirements to follow suit.

That's just how the cookie crumbles.

How do I know if my website is using third-party cookies?

If your website uses any kind of analytics from larger tech companies like Meta or TikTok, you'll be using third-party cookies. There are a few ways to see what third-party cookies are being used, but one of the easiest ways is to use a compliance test. Consent management platform Cookiebot has a handy compliance test to check if your websites use of cookies and online tracking is compliant.

Is Google Analytics a third-party cookie?

Technically, no, but you do need to switch a few things on in Google's new property, GA4. Retargeting for example did require third-party cookies but a new feature in GA4 offers a Protected Audience API which will enable remarketing without third-party cookies.

What do I need to do to ensure compliance?
‍

Clean up your third-party cookies

Third-party cookies collect personal data from end-users, which means they are only really legal to use if you have obtained explicit consent. Unfortunately, this means websites with third-party cookies need those annoying popups that negatively impact engagement, and thus, return on ad spend. This tends to be why site owners procrastinate on implementing consent forms too - because as much as website users dislike cookies, they hate pop-ups too!

However, for all tracking, it's universally considered best practice to offer preference management for users. While this is not a legal requirement in all countries or states, it's quickly becoming a universal standard.

• Inform users of what cookies and trackers you are using.
• Include their providers, purpose and duration.
• Have a 'Cookie Policy' seperate from the Privacy Policy

For many countries it's also becoming a standard to document consent using something like a Google-certified Consent Management Platform (CMP) or well-connected CRM system.

Overall, the best way to support compliance is to practice ethical targeting as a business. Part of that is understanding how to facilitate a secure experience. Temkin put it well: "there is no need to sacrifice relevant advertising and monetization in order to deliver a private and secure experience."

Do Australian websites require a consent popup?

The necessity of a consent form depends on your website audience, regional regulations and your commitment to user transparency.

Does your website have EU or Californian website traffic? 

Privacy changes in those locations has led to 'Google Consent Mode'. The latest version, Google Consent Mode V2 will be mandatory by March 2024 for any websites with Californian or EU audiences that use Google Analytics 4, Google Ads or Floodlight tracking pixels. Failure to comply may result in a breach of Google's user consent policy which can lead to a terminated account. For advertisers, that's a nightmare - all that historical data, gone.

You don't necessarily have to have a consent pop-up on your website if your website is designed for Australian audiences, but it is expected to become compulsory at some stage.

There has been a review of the rather dated 1988 Privacy Act that has resulted in a proposed framework that will require privacy be built into products and services from the start. This review considered a whole draft of updates, including default privacy settings, overseas data flows and changes to small business exemption.

The Australian Government is currently consulting with stakeholder groups before drafting legislation to go before parliament this year.

In a September press release Australian Information Commissioner and Privacy Commissioner Angela Falk warned reforms will "enable individuals to exercise new privacy rights and take direct action from the courts if their privacy is breached" The Office of the Australian Information Commissioner (OAIC) is also seeking greater power to resolve privacy breaches.

Basically, this means you don't necessarily have to have a consent pop-up on your website if your website is designed for Australian audiences, but it is expected to become compulsory at some stage. If in doubt, check with a legal professional.

Cookie consent templates and plugins

A Google-certified CMP is possibly the easiest means to comply with privacy changes, but there are also cookie consent templates and plugins for various Content Management Systems (CMS):

• Webflow: Finsweet cloneable template. Details: Finsweet Cookie consent template. If you'd prefer to DIY, Webflow also offers instructions on how to create a consent banner.

• WordPress + Woocommerce: There are many WordPress plugins available. HubSpot offers a good overview of many of them.
• Shopify: Privacy & compliance app

Check what options integrate with, or are provided by your CMS. Test your consent form on a staging website before you go live to make sure you don't break your website.

What should my cookies consent banner look like?

UX experts recommend that your cookies consent banner is as user-friendly as possible, with preference management and a look and feel that is consistent with your website and branding. The form structure can depend on the country you're operating, but it's generally considered best practice to include explicit consent, rather than implied consent. If you are using a CMP make sure this third-party allows you to use a form that aligns with your brand standards.

• Make your banner clear, concise and easy-to-read
• Align the form with your brand standards.
• Users should be told what data is being collected and why.
• Third-party data collectors must be named
• Removing permissions should be easy to find.
• Opt-in should be separate from the website t&c's

Usertesting.com offers some good UX tips for privacy rules.

This begs a mention: what shouldn't the consent form look like?

• Your consent banner shouldn't be so huge it blocks critical information
• It shouldn't be hidden from view, either
• User consent must be explicit, not implied.
• Cookie pop-ups should not be confusing or manipulate users into agreement.

Avoid any 'dark patterns' that trick people into clicking 'yes'. Not only will you frustrate users, but it makes your brand look dodgy. What's the point of compliance if not to support a credible reputation?

Will I need to store consent records?

It depends on the country you market in. For most websites, cookie laws don't require records of consent be stored, but you should be able to prove that consent occurred.

Impact on user experience (UX)

Many consider tracking options to contribute to a positive user experience but the pop-ups privacy changes demand are quite frankly, annoying.

Do I have to have a pop-up on my website to comply with privacy changes?

At this stage you can avoid having the annoying popups on your website by removing third-party cookies from your website. No third-party cookies means no Facebook Meta pixel etc.

USA Today is an example of a website that did this. They offered a 'European Union Experience' when GDPR first came into effect. This EU specific subdomain didn't collect any personal info via third-party cookies equating to no ads. No ads dramatically improved the website load times which is a big win for users, but a killer for a news publisher's business model.

Most businesses find that they need third-party cookies. USA Today ended up dumping the idea by blocking EU users all together. You can see this in the explanation from their website below. If you try to access their website from the EU, a notification reads, 'we regret we cannot make this site available to you'. This is an example of a website refusing visitors access their website if they don't accept cookies.

Cookies can be critical to multiple facets of a business - from improving customer experience to running campaigns to selling ads to maintain, in this case, the news service itself.

So yes, at this stage you can avoid annoying privacy pop-ups on your website by removing flagged cookies, but you'll want to weigh the choice up against its impact on other areas of your business.

If in doubt, check with a legal professional.

What happens if my website visitors don't accept website cookies?

The basic impact of a user refusing to accept website cookies is that their website experience will be slower. This is because the browser won't be 'caching' (remembering) what components of the site have already been accessed. For example, the user would need to re-enter their password to login to a website, rather than it being 'remembered'. An ecommerce website may not show products relevant to the user, but more generalized options.

Slower load times and less convenience means less sales. It's a big reason why business procrastinates on consent banners or avoids them all together.

Chrome's impact on marketing:

‍

Advertisers are addressing how businesses can weather the transition to a post-third-party cookie world. The deprecation is likely to have a significant impact on targeting and analytics, affecting how agencies deliver marketing outcomes for clients.

Attribution

For almost a decade we've had 'data driven' hailed as the holy grail but in 2024, it may be the year of guesstimation.

It's hard to review attribution models whilst the ad platforms are running experiments.

How will Google Chrome's cookie phase out impact SEO?

There's been a lot of memes floating around about the cookie phase out for advertisers, but the phase out is also likely to impact search rankings, organic traffic performance data and thus SEO service providers.

Privacy policies have long been a trust signal to search engines that the website takes data compliance seriously. Google wants to offer users reputable businesses, so in theory, the additional requirement of third-party compliance may impact your search engine rankings.

For SEO professionals, clients become nervous as soon as they see performance data drop and if third-party cookie alternatives aren't established, data sets will be impacted. The SEO sector will need to prepare clients for the change.

...it may look like organic traffic has dropped off, but it's the tracking that's 'dropped off'.

Here's how it works: for a tracking platform to record the source of origin, information needs to be sent from the browser to an analytics system. This means for marketers, and anyone else using website analytics, it may look like organic traffic has dropped off, but it's the tracking that's 'dropped off'. If there are no tracking codes, aka cookies, with permission to pass on data, or if your users are refusing to accept the cookies, the traffic will be categorised as, 'direct traffic' by default. As a result, direct traffic may look like it's on the rise, while organic traffic may look like it's on the decline.

SEO managers may cop the blame for the alleged decline in organic traffic, but it's important to know it may be these tracking issues impacting the website's performance data.

Since many third-party cookies will no longer be permitted to send data to their analytics platform, the phase out will mean attribution models need to be reset. Attribution has already faced a cascade of challenges with Google's new GA4 tracking roll out, so why not use this as an opportunity to revisit performance tracking altogether.

Start with an audit and you'll be one smart cookie.

How will Google Chrome's cookie phase out impact my ads?

The third-party cookie crack down requires adaption: advertisers must lean more on user consent, first-party data, contextual ads and alternative identifiers - all while respecting user privacy.

Impact on Google Ads

If you or a client don't have compliance aligned with Google's new privacy policies, you may face challenges in running effective advertising campaigns. Advertising platforms like Google Ads may disapprove accounts that violate its rules, including those related to privacy protection. There may be limitation on targeting options for ads, which is likely to reduce the effectiveness of advertising campaigns.

Ask your Google Ads service provider about turning on Enhanced Conversions for Web in Google Ads - this allows hashed customer data to be matched against Google's logged-in data. Based on the small uplift vs time spent implementing, we've found this is only really worthwhile for brands with a high volume of conversions, like ecommerce websites, or for those with a high average conversion value.

Depending on regional requirements, you may need to enable consent mode in Google Tag Manager - this enables Google to remember consent, so the popups don't keep coming up when a user revisits your site. You can also create a consent mode template in Google Tag manager.

Impact on Meta Advertising

Meta has already been heavily impacted by the Apple update that restricted the use of cookies for tracking on Apple mobile devices. It led to the creation of the Conversions API tool that helps advertisers use their own marketing data to optimise ad targeting, and its likely this API, built to respect people's privacy preferences, will get around the Chrome changes.

Tip: It's not recommended to connect Meta's conversion API on your lonesome, work with your web devs.

The Meta pixel does use third-party cookies, but it also used first-party cookies. You can check first-party cookies are enabled in Meta Events Manager, under the data sources setting tab.

Overall, how we advertise evolves but advertising principles always remain the same - deliver the right message, to the right person, at the right time.

Craft a privacy-forward future

As the third-party cookie phase out by Google reshapes the internet, businesses must proactively navigate the evolving privacy terrain. Stay ahead of the curve by recognising that marketing data will face flux this year. Review priority user journeys and collaborate with experts to review your tracking setup and attribution modeling. Prepare to implement relevant consent requirements for your business and ensure a smoother transition.